LISA '06 Abstract
Pp. 187–203 of the Proceedings
LiveOps: Systems Management as a Service
Chad Verbowski, Microsoft Research; Juhan Lee and Xiaogang Liu, Microsoft MSN;
Roussi Roussev, Florida Institute of Technology; Yi-Min Wang, Microsoft Research
Existing management systems do not detect the most time-consuming and technically difficult anomalies administrators encounter. Oppenheimer found that 33% of outages were caused by human error and that 76% of the time taken to resolve an outage was spent by humans determining what change was needed. Defining anomaly detection rules is challenging, and the resulting rules often cannot be shared across organizations: writing them requires deep combined knowledge of the software, workload, system configuration, and tuning parameters specific to the workload and the overall distributed application topology.
We present LiveOps, a scalable systems and security management service based on auditing the interactions between applications and the persistent state they use. This approach simplifies identifying security vulnerabilities, performs compliance auditing, enables forensic investigations, detects patching problems, optimizes troubleshooting, and detects malware/intrusions. The service enables knowledge sharing across organizations and administrative boundaries and allows for seamless integration between analysis results from the disparate management products that build on it. Our configuration-free agent collects all read and write accesses to registry entries, files, and binaries, as well as process creation. The agent's streaming lossless compression produces log files of only 20 MB per day containing an average of 45 million events. The scalable LiveOps back-end service can analyze 1000 machine-days of logs in 30 minutes. LiveOps agents have been deployed on 1149 machines ranging from home systems to corporate desktops, including 381 production MSN servers across 11 sites.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.